I'm trying to set up a security restriction on an EJB's methods, but I'm running into a couple of confusing problems.
The first problem is that my client is able to connect to the server and call the EJB methods freely, regardless of what kind of security I try to assign to the methods; for example:
The second problem is that my client can connect to JBoss, get a reference to this EJB and call its methods without providing any authentication at all; or even if it provides completely bogus authentication:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;

Hashtable ht = new Hashtable();
ht.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
// Note: no Context.SECURITY_PRINCIPAL / Context.SECURITY_CREDENTIALS are set here
DataServicesHome home =
    (DataServicesHome) (new InitialContext(ht)).lookup(DataServicesHome.JNDI_NAME);
dataServices = home.create();
I don't understand why this code is allowed to even connect to JBoss at all, let alone execute a security-protected method. (It runs with no exception).
The third problem is that while I am aware that the role name I define in my ejb-jar.xml file is not the same as the role names defined in my roles.properties file, I have not found any information as to how to create an association between the two.
Thanks for your help.
I think you have not enabled security for the ejb-app. What does the jboss.xml say?
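As an added illustration (not from either post), these are the three pieces that have to line up in a JBoss 3.x/4.x-style deployment before the container enforces method permissions: the bean's security domain in jboss.xml, the login module behind that domain in login-config.xml, and the method-permission in ejb-jar.xml. The domain name ejb-secure, the ejb-name DataServices, the role DataUser and the user alice are assumed sample values.

```xml
<!-- jboss.xml: bind the bean to a JAAS security domain (domain name assumed).
     Without this element the container performs no authorization checks at all. -->
<jboss>
  <security-domain>java:/jaas/ejb-secure</security-domain>
</jboss>

<!-- login-config.xml: the domain authenticates against users.properties and
     assigns roles from roles.properties. A constructed roles.properties line
     such as  alice=DataUser  grants alice the role named in ejb-jar.xml below;
     the role strings in the two files are compared literally. -->
<application-policy name="ejb-secure">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <module-option name="usersProperties">users.properties</module-option>
      <module-option name="rolesProperties">roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- ejb-jar.xml: declare the role and restrict every method of the bean to it
     (ejb-name assumed). -->
<assembly-descriptor>
  <security-role>
    <role-name>DataUser</role-name>
  </security-role>
  <method-permission>
    <role-name>DataUser</role-name>
    <method>
      <ejb-name>DataServices</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
```

The JNDI lookup itself is not subject to these permissions; what changes is that, once the domain is set, a caller with no principal or a principal the login module rejects gets a security exception on the EJB call instead of a result.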